I realize this question may be quite broad (and hopefully not a violation of the FAQs), but I'm interested in hearing how many of you handle a computer infected with malware.

In a small-to-medium business (heck, even large businesses like the New York Times), acquiring malware seems like an inevitability. Despite putting checks and balances in place (updated workstations with security patches/Java/Flash, up-to-date anti-virus software, spam filters, etc.), viruses still penetrate through the cracks and some are able to execute.

My question is not so much about the prevention of viruses, but rather what you do with that workstation after it's been discovered that it has been compromised. Obviously we'd all feel more comfortable with the old NIFO stance, however many of us are strapped for resources and don't have time to always be re-imaging machines — especially if the bugs show only with "on-demand scans" and don't appear to have executed.

I'm curious as to what others in my situation are doing once a machine is found to be compromised. Is a "revert to old restore point and on-demand scan in safe mode" enough, or do you guys always re-image a machine?

I can tell you from personal experience (we were down for 3 weeks in December) that nuking is the only thing you can do. I'm not our IT person, I'm a programmer, but I recommended that we nuke; instead the president (it's a small company, only 30ish employees) went with our IT's plan, which was to try to contain and remove. Well, he finally (after the virus showed up on the network for the third time and killed our server) went with nuking. It took 2 days and then we were back up, without any issues since then. Your ONLY option is nuking.
– ryan, Feb 1 '13 at 21:36


Not only is nuking safer, in most cases it's a faster solution than troubleshooting a virus.
– Pickle, Feb 1 '13 at 21:42

Bullshit. How is reimaging and having to reconfigure an entire workflow any faster than running one scan/remove pass, which is enough for most simple viruses?
– Oleg V. Volkov, Feb 2 '13 at 1:00

@ryan, if your SERVER can be destroyed from LAN, then viruses and nuking of WORKSTATION is the least of your problems.
– Oleg V. Volkov, Feb 2 '13 at 1:05

To discover them more easily, run full scans regularly (as in daily) on every computer, no exceptions.
– ratchet freak, Feb 2 '13 at 14:19

8 Answers

Nuke it from orbit. The only way to be sure it is gone once it is compromised is to blow it away entirely. Restore checkpoints only help for configuration issues; a virus can alter the previous configurations or install itself in such a way that it survives a restore. If it's just adware, then removal may be sufficient, but viruses can be very sneaky.

It might be possible to get rid of it completely, but it will take more time (days) than nuking and rebuilding in most cases, particularly if regular backups are kept.

Edit: As Oleg was kind enough to point out, if you're re-imaging from a hidden partition on the computer, it is possible that the image could have also been infected. It's also possible that the BIOS (or other firmware in hardware) could have been infected in very rare cases, in which case you are looking at a major PITA to get rid of it. Luckily, 99.99% (my approximation) of the time, it isn't hardware resident yet.

No, it is not a way to be sure. FWIW it could already be on your image or boot system out of reach.
– Oleg V. Volkov, Mar 6 '13 at 13:16

@OlegV.Volkov Getting on the image would be hard if it is the installation media (rather than one of those stupid manufacturers that ONLY gives you a recovery partition). The BIOS is a valid point, though those are more rare and if you have one, the answer is going to be far more of a pain than a simple Q/A site is going to be able to explain in a universal sense. But it is still a valid point.
– AJ Henderson, Mar 6 '13 at 13:59

@AJHenderson "rebuilding in most cases, particularly if regular backups are kept" - I always was wondering about that - isn't this just about as much of a reinfection vector as trying to clean it out, since the virus may've infected the data files and is thus in the backup itself? I suppose if detection of infection is near-immediate, then chances are small; but what are the chances of near-immediate detection? Wouldn't restoring the backups carry a relatively similar reinfection risk as cleaning out the virus?
– LB2, Mar 31 '14 at 13:46

@LB2 - this is why backups shouldn't be kept attached to the computer. A backup should be on an external drive. That said, it is far less likely that a particular virus knows how to hide in a particular type of backup file than it is that it knows some general mechanism of hiding on a complex system that you can't possibly hope to find it in.
– AJ Henderson, Mar 31 '14 at 13:55

@AJHenderson Right, but that's not quite what I meant. There are plenty of viruses that infect .doc files (or picture files, or ...). User acquires an infected document and saves it to their documents/pictures/etc. folder. Backup runs and backs up the infected file(s). Later the infection is detected (wherever, not necessarily in the original file), machine de-orbited, burned, and phoenix-reborn. Backup restored - along with the original virus inside that document (or picture, or ...). The virus need not know how to find backups to infect - it simply piggy-backs onto the backup stream, unknowingly to itself.
– LB2, Mar 31 '14 at 14:29

Nuking is mandatory. That being said, I don't erase the old image; I keep the data files somewhere, to be resurrected after due inspection. For instance, I don't destroy mailboxes; I scan them for attached files which look like executable files, and, when found clean, I put them back online.

For the base OS and all its binaries, cleansing flame is the rule. It is so much faster to just reinstall the machine anyway...
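The attachment check the answer above describes, written out as an added example (this is editor-supplied code, not the answerer's own tooling). It parses individual RFC 5322 messages with Python's standard `email` package and flags an attachment when either its declared filename has an executable extension or the decoded payload starts with the magic bytes of a known executable format, so a dropper renamed `invoice.pdf` is still caught. The sample messages are constructed inline; in practice you would feed it each message from `mailbox.mbox` or a Maildir.

```python
"""Scan mail messages for attachments that look like executables.

Added example, not part of the original answer. Checks both the declared
filename and the first bytes of the decoded payload, so a file named
"invoice.pdf" that actually starts with an MZ header is still flagged.
"""
import email
import email.policy
from email.message import EmailMessage

# Extensions that Windows or Unix will run directly or that commonly carry code.
EXEC_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
    ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".jar", ".sh", ".elf",
}

# Leading bytes of common executable formats (ordered: first match wins).
EXEC_MAGIC = [
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"#!", "script with shebang"),
    (b"\xfe\xed\xfa\xce", "Mach-O (32-bit)"),
    (b"\xfe\xed\xfa\xcf", "Mach-O (64-bit)"),
    (b"\xcf\xfa\xed\xfe", "Mach-O (64-bit, little-endian)"),
]


def classify_attachment(filename, payload):
    """Return the reasons this attachment looks executable (empty list if none)."""
    reasons = []
    name = (filename or "").lower()
    # Only the LAST extension matters: "report.pdf.exe" is an .exe.
    ext = ("." + name.rsplit(".", 1)[-1]) if "." in name else ""
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"extension {ext}")
    for magic, desc in EXEC_MAGIC:
        if payload[: len(magic)] == magic:
            reasons.append(f"magic bytes: {desc}")
            break
    return reasons


def scan_message(raw_bytes):
    """Parse one message and return suspicious attachments as (filename, reasons)."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(part.get_filename(), payload)
        if reasons:
            findings.append((part.get_filename(), reasons))
    return findings


def _build_sample_message(attachments):
    """Constructed test data: one message carrying the given (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for fname, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()


SAMPLE_CLEAN = _build_sample_message([("notes.txt", b"just text\n")])
SAMPLE_BAD = _build_sample_message([
    ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),     # PE file with a PDF name
    ("setup.exe", b"MZ\x90\x00" + b"\x00" * 60),        # obvious executable
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 20),  # genuine JPEG header, fine
])

if __name__ == "__main__":
    for label, raw in (("clean", SAMPLE_CLEAN), ("bad", SAMPLE_BAD)):
        print(label, scan_message(raw))
```

Anything flagged goes to quarantine for manual inspection; everything else can be restored with the mailbox. The magic-byte check is deliberately independent of the filename, because the filename is attacker-controlled and the payload is not.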

Monitoring to make sure the malware was completely removed takes more time, effort and skill than re-imaging or re-installing the machine.

Antivirus is mainly reactive by design and will detect initial infections. Malware will download new variants to stay ahead of detection so you can't know for sure that AV removed all bad code and repaired configuration changes.

In theory, rootkits can control everything you see (The Matrix style) so you can't be sure of anything while running the infected machine. I've seen rootkits that "hide" the malware traffic so it is not visible from the same host.

A solution is to run an offline diff and check for modified binaries and settings. You still have to manage regular snapshots similar to a backup. But then, why not re-image and restore backed up data?
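The "offline diff" the answer mentions, as an added example (editor-supplied, not the answerer's code). It hashes every regular file under a known-good baseline tree and under a snapshot of the suspect disk, then reports files added, removed or modified. The assumption is that the suspect filesystem is mounted read-only from a clean boot medium, so the running rootkit cannot lie about what is on disk. Symlinks are recorded by target rather than followed, so a planted link cannot redirect the scan to a clean copy. The two trees below are constructed in temporary directories purely to demonstrate the output.

```python
"""Offline integrity diff: compare a known-good baseline of file hashes
against a snapshot of a suspect filesystem taken while it is NOT running
(e.g. the disk mounted read-only from a clean boot medium).

Added example, not from the original answer. The directory layout and the
baseline format (dict of relative path -> SHA-256) are assumptions.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256hex} for every regular file under root.
    Symlinks are recorded as 'symlink:<target>' rather than followed."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order
        for fname in sorted(filenames):
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                result[rel] = "symlink:" + os.readlink(full)
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            result[rel] = h.hexdigest()
    return result


def diff_trees(baseline, current):
    """Compare two hash maps; return sorted added/removed/modified path lists."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_demo():
    """Constructed sample: a 'clean' tree and an 'infected' copy of it.
    Returns the diff between them."""
    with tempfile.TemporaryDirectory() as clean, \
            tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            _write(root, "bin/ls", b"\x7fELF clean ls")
            _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
            _write(root, "etc/rc.local", b"exit 0\n")
        # Trojanised binary: same path, different content
        _write(suspect, "bin/ls", b"\x7fELF trojanised ls")
        # Persistence: startup script edited, dropper added
        _write(suspect, "etc/rc.local", b"/tmp/.x/update &\nexit 0\n")
        _write(suspect, "tmp/.x/update", b"MZ dropper")
        return diff_trees(hash_tree(clean), hash_tree(suspect))


if __name__ == "__main__":
    for kind, paths in build_demo().items():
        print(f"{kind}: {paths}")
```

In real use the baseline is the hash map of the golden image (or of the package manager's manifests) stored off the machine, and `hash_tree` is pointed at the mount point of the suspect disk. The answer's point stands: maintaining that baseline is roughly the same work as maintaining the image you would restore from, so the diff is mainly useful for learning what the malware touched, not as a substitute for re-imaging.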

It depends on the type of infection you are dealing with.
If your BIOS or firmware gets modified by a malicious program, reinstalling may not work. Though rare, it is possible.

In my experience, pursue proper handling of permissions by restricting most users to userspace, refusing USB drive mounting or, at the very least, disabling autorun or execution of code (mount read-only). Have secure binaries or sources of required applications, such as found in a secured central repository, or convert critical machines and processes, if possible, to a more secure operating system such as OpenBSD, which has a lot of security (better permission schemes, groups, more flexible logging schemes, etc.) out of the box.

Important to note is that any machine connected to a network will be at risk. Have regular backups of data, and avoid insecure browser plugins such as Flash, Java and Silverlight/Moonlight wherever possible.

Train staff in proper processes. Don't trust users, but let them do their jobs.

If machines do get infected and you have to reinstall, at least have a PXE or network boot installation for reducing downtime.

As everyone else has said, nuke that thing to death. That way there is no chance for failure. I mean, theoretically a bootkit could survive a nuke, but I don't see it being very likely that a bootkit has you infected.

The only thing I want to state differently is: be careful storing any important data before the wipe. Upload online, and not by USB. Any half-decent strain of malware will have a USB spreader that will infect any portable drives you put into your computer. So it's not good if you nuke the computer, then end up reinstalling the virus by mistake. So for safety:

- Upload all important files online
- Commence nuke
- During the nuke, go through any important online services and change passwords. Just to be safe, in case any data has been compromised.
- Good to go

You could go through your system and dig through the trenches for a week or two to find the malware and attempt to completely remove it... or spend a day to wipe and reinstall.

I work in the healthcare industry, and we manage people's health records.

In the past, I have always been told to re-image when I worked for the government, and while there are many reasons, the best I thought was that you are 100% sure the threat is gone once you re-image.

I think the real question is (on whether to try to clean vs. re-image): Are you protecting other people's information? If your financial or health records were at risk, would you want my company to take a chance and try to remove it? Or would you prefer that my company, who safeguards YOUR information, re-images the machine? One way is a 100% guarantee it will be gone, while the other way you are taking a chance...

Again, if it is your home PC and you are deciding which method to use, you are only compromising yourself. But, if it is a company, trusted with other people’s information, then what is the call?

I am fighting this fight right now, and believe it or not, I am losing. I need more data to back up my idea to re-image. Prior to this job, I worked for a three-letter intelligence agency for a decade. I hate to think that we re-imaged THOUSANDS of machines when all we had to do was clean the malware off? I guess the way the Feds thought of this was: if lives are at stake, you don't take a risk.

So the next question is: If your personal data is at stake, how much risk are you willing to take? Is cleaning malware an acceptable risk as opposed to re-imaging when your personal data (but not your life) is at risk?

When it comes to companies (and the bigger they are, the more susceptible you are), cleaning has these problems:

Most likely, the task of cleaning gets relegated to tier 1 folks, who may or may not do the cleaning properly. Any tier 1 who re-images will remove the threat. Some tier 1 folks will clean properly, some won't.

You Google the threat, and you find a way to clean it. The problem is, most people who write malware don't give you a version number, do they? What we have seen: a common malware had a posted way to clean it up, and even a removal tool. However, since the post, the author of the malware changed their code, and the removal tool no longer works, in that some of the malware now remains behind after you clean it and re-downloads what was cleaned.

Within a company, if you look at what happens, sometimes the users get upset at multiple attempts to clean their workstation. Here is an example: a) A user is infected; we send someone out to clean their machine, which takes 30 minutes of time, during which the user just goes for a long coffee. b) The next day, the malware is back, and once again we send someone on the floor team to clean it again. Same drill: the user goes off for lunch, and when he comes back we tell the user all is good. c) The next day, after we have tried 2x to clean the user's machine, we now tell the user we have to take the machine and re-image it (after we take a forensic image).

SUMMARY

What message does this send to the users? To me, I think it makes us look like we don't know what we are doing, and the user is interrupted several times, to which he complains about the loss of productivity to his boss, etc. If we had just taken the machine from day 1 and re-imaged, that might have been a better solution (the user gets a replacement machine right away; downtime is less than 30 minutes).

So, while some malware is simple, the SOP you develop does not always suit all threats, and it can cause more work and frustration for everyone when you try to clean vs. re-image.

Check what exactly you're dealing with. Most antiviruses give you the name of a threat, and you can check the description of the threat online. If you got a simple JS/Flash-based cookie stealer that exploits a hole in a browser version that was out of date a year ago, then forcing the user to reconfigure everything just for the sake of a "cargo cult security" ritual is pure idiocy. Nuking is only really necessary for a small number of threats that exploit deeper levels of the system.

So how can you be SURE that you only have to deal with "common" threats? -1.
– Terry Chia, Feb 2 '13 at 7:45

@TerryChia, check the last sentence. Nuking is an option, not something you do every time.
– Oleg V. Volkov, Feb 2 '13 at 9:52


@OlegV.Volkov I think what TerryChia is talking about is: how can you be sure that your workstation is only infected with "non-crucial" malware? Malware A may download Virus B, Trojan C and Backdoor D from a remote site to the workstation to cause more infection (steal more data) and impact (chaining effect).
– wcypierre, Feb 2 '13 at 11:10

@wcypierre, this would again be described in the malware description. However, if you wish to argue about "yet unknown effects", how can YOU be sure that RIGHT NOW your PC is not infected with super-stealthy malware controlling all your online life and that you don't need to re-image RIGHT NOW? How can you be sure that it didn't stealth-copy itself to your image either? Can we please talk about practice and not rituals with imaginary beings (does that remind you of anything)?
– Oleg V. Volkov, Feb 4 '13 at 10:54